I have added the following lines to the inputs.conf on the universal forwarder. But those events are not getting forwarded to Splunk. Any idea as to what I've done wrong here?
[WinEventLog://Microsoft-Exchange-HighAvailability/Operational]
disabled = 0

[WinEventLog://Microsoft-Exchange-ManagedAvailability/Monitoring]
disabled = 0

[WinEventLog://MSExchange Management]
disabled = 0

[WinEventLog://Microsoft-Exchange-MailboxDatabaseFailureItems/Operational]
disabled = 0
All of the channels seem to be reasonable, so there is no reason why they shouldn't be read unless there is a permissions issue. Check the log files on the forwarder in %SPLUNK_HOME%\var\log\splunk - most notably splunkd.log (you can do this from the Splunk instance by searching index=_internal source=*splunkd.log host=) for any errors in the WinEventLog modular input.
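The checks the answer describes, as an added example that is not part of the original answer: run on the forwarder host, it confirms each channel from the question's inputs.conf is registered and has records, shows which account the SplunkForwarder service runs as (a non-SYSTEM account needs read access to the channels, which is the permissions case the answer mentions), and pulls the recent WARN/ERROR lines that mention WinEventLog out of splunkd.log. The fallback install path and the use of the SPLUNK_HOME environment variable are assumptions.

```powershell
# Added example, not from the original post. Channel names are taken from the question;
# the fallback path is the default Universal Forwarder install location (assumption).
$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\SplunkUniversalForwarder' }
$Channels = @(
    'Microsoft-Exchange-HighAvailability/Operational',
    'Microsoft-Exchange-ManagedAvailability/Monitoring',
    'MSExchange Management',
    'Microsoft-Exchange-MailboxDatabaseFailureItems/Operational'
)

# 1. Is each channel registered on this host, enabled, and does it hold any records?
foreach ($name in $Channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output "MISSING  $name  (not registered here; list candidates with Get-WinEvent -ListLog '*Exchange*')"
        continue
    }
    $state = if ($log.IsEnabled) { 'enabled' } else { 'DISABLED' }
    Write-Output ("{0,-8} {1}  [{2}, {3} records]" -f 'OK', $name, $state, $log.RecordCount)
}

# 2. Which account does the forwarder service run as? If it is not LocalSystem, that
#    account must be allowed to read these channels (e.g. via the Event Log Readers group).
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, State, StartName

# 3. Recent splunkd.log entries about the WinEventLog input at WARN or ERROR level.
$logPath = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Get-Content -Path $logPath -Tail 2000 |
    Select-String -Pattern 'WinEventLog' |
    Where-Object { $_.Line -match '\b(WARN|ERROR)\b' } |
    Select-Object -Last 20
```

A channel reported as MISSING usually means the stanza name in inputs.conf does not match the channel name the host actually registers; a channel that is present with records but never reaches the indexer, together with access-denied style errors in step 3, points at the service account's permissions.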
I have 3 sets of conf files. Following are the outputs.conf files.
FYI, data is getting to the server, as in the Application and System logs, but not the new non-standard logs I have configured.
# Version 6.1.3
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection)
forwardedindex.filter.disable = false

# Version 6.1.3
[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = false
blockWarnThreshold = 100

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = oracle:9997

[tcpout-server://oracle:9997]